from the still-doesn't-make-sense dept

Last week, Google was ordered to deactivate someone's Gmail account, because Rocky Mountain Bank had totally screwed up and sent the Gmail account holder an email by accident, which contained all sorts of confidential information. It's still not at all clear how Rocky Mountain Bank made such a monumental screw up, but we'll leave that aside for now. On Monday, the two companies asked the judge for permission to restore the email, after they realized that the email in question had never been opened, and Google had deleted it from its servers. Case closed?

Well... not so fast. Paul Alan Levy, from Public Citizen, sees a number of serious problems with the whole episode, starting with the legal complaint in the first place -- which offered no opportunity for the email account user to speak up and argue for his or her own rights, against having the account deactivated. But just the legal proceedings themselves suffered from some serious problems:

First, the complaint. Rocky's complaint is based on the contention that, having botched its obligation to keep its own customers information secret, it was obligated under various state and federal banking regulations to seek to recover the information and prevent its further dissemination. The complaint further alleges that regulatory officials expressed their endorsement of efforts by the Bank to protect the confidentiality of the information. The complaint sought a declaratory judgment that Rocky Mountain was entitled to information about the account holder, and that Google was obligated to prevent use of the information sent to the account. It sought an injunction enjoining Google and the account holder from accessing or distributing the information mistakenly sent to the email account, and compelling Google to identify the account holder. But curiously absent from the complaint was any allegation about how either Google or the owner of the gmail account had violated the plaintiff's rights, or any assertion of a cause of action against either Google or the anonymous account holder, that would form the basis for granting relief against either. Nor did Rocky Mountain's papers explain why section 230 of the Communications Decency Act entitled it to bring an action against Google, or to obtain any relief against Google, even assuming that it had a claim against the gmail account holder. Without a cause of action and without a violation of the plaintiff's rights, why was Rocky Mountain entitled to relief, and why should the defendants be subjected to an injunction? Neither the complaint, nor the brief in support of the TRO, explains this.

Second, the lack of federal court jurisdiction. Although the complaint identified only Google as a defendant, Rocky Mountain asked for relief against the anonymous gmail account holder, which is obviously, therefore, a defendant just as Google was. Indeed, if either Google or the account holder was the right defendant here, it is the account holder. But this poses a serious problem, because the law is clear that a Doe defendant cannot be sued under diversity jurisdiction. If there had been any party with any incentive to protect the Doe's rights in this case, that party could have pointed this jurisdictional defect out to the Court, which would therefore have been obligated to dismiss the case instead of issuing a TRO.

Oops. And, from there, Levy also wonders why Google was so quick to roll over without trying to defend the user's rights:

Rocky Mountain's papers recount that it asked Google for help freezing the account and identifying the account holder but that Google refused to do so without "a valid third party subpoena or other appropriate legal process." Yet despite the filing of plainly defective papers, there is no indication in the publicly filed papers that Google either opposed the requested order or insisted that it be given the opportunity to notify the Doe gmail user so that he or she could obtain counsel and oppose the requested order. Nor do the papers contain any discussion of efforts to notify either Google or the anonymous user about the requested order, even though Rule 65(b)(1) of the Federal Rules of Civil Procedure requires either notice to the parties sought to be enjoined, or a compelling explanation of why notice was not possible. (Because the Bank noticed the problem on August 13, and waited until September 17 to file its suit, it is hard to believe that a few more days' delay to give proper notice would have been catastrophic). And within a day of the issuance of the order (one day before the compliance deadline), Google provided the court with a document explaining how it had complied with the TRO and asked, jointly with Rocky Mountain, that the TRO be vacated.

Indeed. It's certainly understandable why everyone wanted to make sure the data was not compromised, and in this case, it sounds like the account in question was probably inactive or rarely used (or the email went to spam). So everything may have ended up okay. But that's no excuse for potential violations of an individual's rights in trying to correct a mistake by the bank.

Re:

see, i sorta predicted something similar, i mean why do people asume we all know and check everything we get i mean if i get info from a bank i don't have an account with i inmediately delete it.. just not my business.

Re:

I haven't seen anyone ask what this would mean if the email was accidentally sent to a personally owned URL. While that makes it far less likely to occur (unless it was plainly choosing the wrong address from a list), it seems crazy that joe@joescarparts.com should be taken to court for receiving an improperly sent email.

Re:

I can't believe the civil liberties and civil rights groups are not in an uproar about what is a blatant violation by both the bank and the govt who actually issued the subpoena with no supporting information, this is a show of whom rights are more important then who's.

Re:

I agree, this should terrify all users of gmail or even of google's services, obviously their prioritites lie in appeasing those companies with money and influence. I would have thought that this raises an issue of who actually 'owns' the email account for services such as these and where the lines of privacy/ownership get drawn for cases such as these.

In a way it is nice that the email address is domant because this process can be hammered out without some poor Joe Bloggs stuck in the middle. The principles and actions can and should be scrutinised (as they are slowly being) to avoid these cases becoming more prevalent everytime a company screws up monumentally.

Re: Re:

^ "I agree, this should terrify all users of gmail or even of google's services, obviously their prioritites lie in appeasing those companies with money and influence."

Did I miss something? Google didn't want to give anything out, they only took action upon court order. How are they appeasing a company with money and influe- oh, I suppose if you count the courts/government as a business.

Re: Re: Re:

I think what your missing is that Google was willing and eager to accomodate the bank's demands, but wanted the CYA of a court order to do it. Otherwise, Google would have argued against the court order.

Re: Could this be done intentionally?

Could a company intentionally mailbomb another company with confidential information... then go to the ISP and have their email system shut down on the same basis?

You're overlooking the fact that it takes a court order and most judges apply a different standard to companies than they do to individuals: They'll screw an individual over in ways that they'd never dream of doing to a company.

Re:

Obviously the bank was at fault. Why is anyone else being punished? And why ISN'T the bank?

To me, it just seems like it's a case of "a big oops happened, now someone has to pay. How can we engineer that?"

Well, banks contribute big to political campaigns. Banks get away with things like 'payroll' advances while they try to pay off legislators to ban competition. It's because bankers bascially run this greedy world, so they get their way.

If there are a couple things anyone should learn about this:

1. DO NOT use Google for ANY sensitive email at all period - I have already changed my bank over to another email address - my ISP.

2. Avoid that bank at all costs - if they screw up, they'll do a half-ass job at protecting you - I for one, would certainly not consider this case 'closed' just because Google supposedly deleted an 'unread' email.

Re: Re:

"1. DO NOT use Google for ANY sensitive email at all period - I have already changed my bank over to another email address - my ISP."

Ha! If you trust your ISP any more than Google, then you fail at life. The point is not to send ANY unencrypted confidential data over insecure (read: ALL) lines. Anything short of end-to-end encryption can't be considered confidential. If you think your ISP wont go into CYA mode the moment they get a court order, you're bound for disappointment.

"2. Avoid that bank at all costs"

The is the real lesson to be learned. You can't fault any business for following court orders. You can only fault the business who distributes confidential information willy-nilly over insecure means.

You can't blame IE for that spyware you click-installed, you can't blame email for that drunken rant to your ex, and for the same reasons no one can blame Google for anything that happened in this Bank vs. Doe case.

Re: Why are they emailing such information?

@dwind: Your statement carries the assumption that physical mail is any more secure than electronic messaging, and that assumption is false. There's plenty of ways to surreptitiously read both mediums, without either the sender or receiver knowing about it. Faxes and phones can also be tapped, and thus are equally insecure. The only safe form of communication is encrypted messaging, where the receiver has exclusive access to the primary key. PGP and SSL are the standard methods, and can be applied to any medium, though they are applied most easily to email and web communications.

Re: Why are they emailing such information?

I regularly tell my customers that regarding email, if they don't want to read it on the front page of the Washington Post tomorrow, don't email it. Of course, using encryption is really the answer, but most people don't know how to use it, and our employer doesn't encourage confidential information to be sent via email anyway.

"4.3 As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services.

4.4 You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account."

And...

"8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service. For some of the Services, Google may provide tools to filter out explicit sexual content. These tools include the SafeSearch preference settings (see http://www.google.com/help/customize.html#safe). In addition, there are commercially available services and software to limit access to material that you may find objectionable."

Although I find this episode to have been handled quite badly, I don't think Google did anything wrong. Per their TOS, everything they did was well within their own power legally. I sort of remember reading this years ago when I signed up and it didn't really bother me then and it doesn't really bother me now. It's not like I rely on my email account to perpetually store confidential info. I save copies of important emails locally on my computer and really only would keep copies in my email account for convenience sake. Overall, I think the only person who screwed up here is the bank and that is where the focus should be.

Re:

It doesn't matter if it's legal or not. The implication is that they're suspending your service because either 1) you did something wrong or 2) they just don't want to continue providing the service (to anyone). If they said "hey, we decided you can't have an email with us because we read your messages and determined you're a Jew" there's no TOS that's going to prevent a lawsuit.

In this case, while Google may not be at fault and while there may not be a legal recourse (I seriously hope there's a way to countersue the bank, and/or get the stupid judge some sort of reprimand... too bad judges are pretty much gods) it's still bad for business.

Yet another demonstration

It's yet another demonstration of why nobody should trust Google with critical information. One should think twice about trusting any third party with important data (and why "cloud computing" is such a terrible idea), but particularly not Google, among others.

Thanks for the TOS

Seeing the TOS posted makes it clear that Google had the power to do what they did, however it still worries me that just because it is sensitive commercial information that somehow that allows a company/bank to get a court order to make Google act.

Does this mean the next time I hit send on some innappropriate email if I've got the $$$ I can get it deleted by court order? What did the bank prove to the court that forced Google to act?

The banks system failed, no one elses. As Scarr pointed out: "I haven't seen anyone ask what this would mean if the email was accidentally sent to a personally owned URL". Does this mean my website host has the same power as Google in this sort of case?

This whole thing has been an insipid waste of time, including ours for following it. Google should have seen the email was unread, and deleted it off its servers once validating the sender. Case closed.

Re:

This whole thing has been an insipid waste of time, including ours for following it. Google should have seen the email was unread, and deleted it off its servers once validating the sender. Case closed.

But are there email clients that can 'read' the email and not mark it read (like as in the preview pane in Outlook)? Or can they tell if you change the email back to 'unread'?

Re:

I agree, I think everyone is making an entirely too big issue out of what Google did.

No matter what Google does they're faced between a rock and a hard spot. If they do nothing they can be accused of allowing sensitive information to be revealed to someone unnecessarily. That can cost them damages. If they do something, like temporarily disable the account or delete the E - Mail, that can also be a privacy issue. Google, as far as I can tell, ALMOST did the right thing, the only thing they should have done better is instead of closing the account altogether, find the specific E - Mail (ie: write some software to look for it without anyone having to read any other E - Mail) and delete only that specific E - Mail after ensuring it hasn't been read.

This isn't rocket science. Google appealing the process opens the door to the recipient reading the E - mail since appeals waste more time. That can be more liability for Google. They have to mitigate the damages ahead of time and they did. Stop being so hard on Google. BANK OF AMERICA SCREWED UP, NOT GOOGLE!!!!

Re: Re:

and it's also not like google did anything to initiate this situation (ie: filing a lawsuit), this situation was initiated upon them and they responded the best they could given the time constraints and the time required to think of the best way to respond on the fly.

Since we're not ever going to see the Doe come forward in this case to actually stand up for their rights, who has the right to file on their behalf for damages? It would be nice to see the bank and google each forced to pony up to fund a legal scholarship for someone wanting to study Copyright/IP law.

Of course, that raises the issue of 'what are fair damages?' - individuals and corporations are extremely different when it comes to what actual dollar figures represent so it seems the only fair way to determine this would be to say that the Doe was offlined for x days. The bank and Google should each be required to pay (x/365)*(GrossEarnings), effectively offlining them for those days as well.

If there's no fiscal consequences, there's no incentive for this not to become a DoS attack.

Banks responsibility

It seems to me that the bank should be held to account for lack of effective data protection measures? They should not be e-mailing that kind of detail to ANYONE. Furthermore they should not be ABLE to e-mail that kind of detail. A complete breakdown of IT security policy, practice and systems ... THAT is what should be in the courtroom !!

Missing the Point

This isn't about what Google did. Any company would, it was a court order. The fact that the court issued the order is the disturbing part.

What if the email had been opened? Should they search this person's personal computer? Perhaps the person printed it. Their house must be searched! Perhaps they gave a copy to their friend or YOU!

If the government ever needs probable cause to search you or your belongings they can now just text you something sensitive by "accident".

In my opinion the gmail account holder has done nothing wrong and until they do something illegal with the data they should be left alone. If the user wants to save the data, or incorporate it into their latest work of art and hang it on their wall, or whatever, if it's not illegal then the government should keep out.

Once the bank has suffered actual damages or a law has been broken then the courts should get involved.